'Customers should watch for alerts to mobile numbers and e-mail IDs to flag any strange transactions.
'Also avoid using any ATM that seems to have an attachment to the card-reader, and use a credit card instead of a debit card', says Devangshu Datta.
Cyber-breaches and data-leaks affecting India have been in the headlines recently.
At one level, the successful cyber-attack on the K K Nuclear power plant is the most frightening.
This emphasises the vulnerable state of India’s power sector infrastructure.
At another level, the Pegasus-driven surveillance of Indian activists is the most disturbing.
It suggests a pattern of systematic, illegal surveillance targeting dozens, if not hundreds, of Indian citizens over a sustained period.
All the evidence so far also indicates that it was carried out by state actors.
The third cyber-breach that came to light, however, sets a world record.
A data-trove, “INDIA-MIX-NEW-01”, with the details of some 1.3 million debit and credit cards, was offered for sale on the Dark Web on October 28, at a website that calls itself the Joker’s Stash.
More than 98 per cent of these cards were issued by Indian banks.
This is the largest single data-set of cards ever offered for sale.
Each card record is being offered for the equivalent of $100 (payable in cryptocurrency).
This is a good index of how valuable this stash is considered by cyber-criminals.
Usually credit card and debit card details are available for as little as $1/card.
The cyber-security firm that broke the news, Group-IB, is incorporated and headquartered in Singapore while being staffed and owned by a collective of Russian researchers, headed by Ilya Sachkov.
Group-IB estimates most of the card-data was picked up by “skimming”, using compromised point-of-sale (PoS) devices in shops where the cards in question were swiped.
Some of the data may have been harvested from compromised ATMs.
Physical skimming is most likely for several reasons.
The data on offer includes Track1 and Track2 data.
The magnetic strip on a card includes up to three tracks, each containing the information required for a transaction.
This includes name, card number, expiry, sometimes the CVV (card verification value), plus addresses and other discretionary information used for fraud protection purposes.
Many cards only have two tracks.
These tracks are read when the card is swiped in a PoS device or at an ATM.
In an online transaction, the tracks are not read.
The verification is done by entering the CVV or CVC (card verification code), the three-digit or four-digit number printed on the back of the card.
The offer of track data indicates that the details were harvested via physical swiping.
Also, the collection includes cards issued by various credit card companies and banks in a nearly random mixture and ratio.
About 18 per cent of the cards belong to a single Indian bank.
This mixture suggests the data was taken from many compromised PoS devices, or from multiple compromised ATMs, rather than from a single compromised ATM.
That’s because a single ATM will tend to have a much higher percentage of cards issued by that specific bank.
The utility of Track1 and Track2 data lies in the fact that this can be used to clone a new card.
The details can be inscribed onto a new magnetic strip and the cloned card used for physical transactions.
Two-factor authentication (2FA) is not necessary for many online transactions outside India. For that matter, a clever cyber-criminal may be able to fool 2FA if she can change the associated phone number, since Track1 and Track2 contain many of the details required for authentication.
Should you be worried?
According to the RBI guidelines, the customer holds zero liability if an unauthorised transaction takes place in a third-party breach, where the deficiency lies neither with the bank nor with the customer but elsewhere in the system, and the customer notifies the bank within three working days of when the unauthorised transaction took place.
Basically, this means that customers should watch for alerts to mobile numbers and e-mail IDs to flag any strange transactions.
If you are not in the habit of using your card or cards much, a small online transaction should be enough to check you are receiving alerts.
Beyond this, there is not a great deal that you can do, as a private citizen.
However, there are a few precautions worth taking.
One is to avoid using any ATM that seems to have any attachment to the card-reader.
Also, use a credit card in preference to a debit card.
This is because the credit card has a daily limit and it is not possible to rack up more than that in a single day.
It is possible to use a debit card for bank transfers to clean out the account.
Photograph: David Becker/Reuters